Malware or malicious attacks on computing systems is becoming an ever-increasing security concern to companies and individuals. The most common pathway for Malware to infect computing systems is through the Internet, by email and the World Wide Web.
Malware comes in many different forms designed to infiltrate or damage a computer system without the owner's informed consent. For example, Malware can include computer viruses, worms, and trojan horses, as well as other malicious and unwanted software. However, for a malicious program to accomplish its goals, it must be able to perform its malicious objectives without being deleted, shutdown or blocked. For this reason, concealment methods assist in the installation and running of the malware.
Intrusion detection systems (IDS) are designed to detect malware or other unwanted manipulations of computer systems, mainly through the Internet. For example, IDS are used to detect several types of malicious behaviors that can compromise the security and trust of a computer system. This includes network attacks against vulnerable services, data driven attacks on applications, host based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware, itself.
Typically, IDS are composed of several components including sensors, consoles and a central engine. Illustratively, a sensor generates security events, and a console is designed to monitor events and alerts and control the sensors. The central engine records events logged by the sensors and uses rules to generate alerts from received security events. There are several ways to categorize IDS depending on the type and location of the sensors and the methodology used by the engine to generate alerts. Types of IDS include network-based intrusion-detection systems (NIDS), passive systems and reactive/blocking systems such as intrusion prevention systems (IPS).
Typically IDS directly identify the malware or other malicious attacks in transit. However, malicious attacks are becoming ever increasingly sophisticated in their obfuscation that it is sometimes difficult or impossible to detect malware attacks by use of IDS as it is happening. Thus, only specialized anti-malware IDS systems may detect the Malware only after it is already completely uploaded and active on the computing system.
Typically web browser exploits require shellcode to execute malicious code on a remote computing system. A shellcode is a small piece of code used as the payload in the exploitation of software vulnerability. Such exploits are either due to a buffer overflow or a memory corruption condition. Either due to the bug design (in the case of memory corruption) or operating restrictions (in the case of buffer overflows) it is necessary for the shellcode to exist in the browser's heap memory.
In order for the malicious attacker to get their shellcode to heap addresses, it is necessary to “spray” the heap with redundant blocks of memory combining no-operation “sleds” and actual shellcode. As is commonly known, a heap spray is a technique used in exploits to facilitate arbitrary code execution. The term is also used to describe the part of the source code of an exploit that implements such technique. In general, the spraying code puts a certain sequence of bytes at a predetermined location in the memory through an indirect process by allocating many blocks (potentially of a large size individually) on the heap and filling the bytes in these blocks. This technique sees widespread use in exploits for web browsers.
The use of heap spraying has proved simple enough that even novice “hackers” can quickly write reliable exploits for many vulnerabilities in web browsers and web browser plug-ins. Heap sprays for web browsers are commonly implemented in JavaScript. The heap spraying creates large Unicode strings with the same character or combinations of characters (representing a no-operation “sled” and or computer code) repeated many times by concatenating starting with a string of one character and concatenating it with itself over and over. This causes the length of the string to grow exponentially up to the maximum length allowed by the scripting engine. When the maximum length (or an arbitrary lower length) is reached, the heap spraying code starts to make copies of the long string and stores these in an array, up to the point where enough memory has been sprayed. However, when obfuscated, IDS cannot detect nor thwart (stop) the heap spray in order to the defeat the malicious attack. Furthermore, non-obfuscated heap sprays are both rarely observed and still present many challenges for IDS detection.
Accordingly, there exists a need in the art to overcome the deficiencies and limitations described hereinabove.